I'm working with the affine representations of points of the Secp256k1 elliptic curve (from Bitcoin).

I've read many papers showing that some functions, like $f(P)=3P$, can be computed faster than the standard way. Other papers say that with some pre-computation, the field inversion can be amortized if $F^1(P), \dots, F^k(P)$ must be computed.

I need the fastest function $F(P)$ that, when applied iteratively to the last result, generates a sequence of points whose average period is large (I don't need any proof; it can just be large in practice).
To be fast I suppose it should be computed without field inversions. I don't mind pre-computing some values.

For example, it could be $F(P) = 1.5P+4Q$ for a fixed $Q$. It doesn't matter which function it is, because I need it to generate random points on the curve. The probability distribution doesn't matter either.
(notation: $1.5P$ denotes the point halving of $3P$)

Motivation: Solutions to this problem may be helpful for generating vanity addresses.

The standard way to generate random points is to select a random value for X, check to see if there's a solution for the elliptic curve equation with that value, and if there is, pick one of the two possible values for Y. Or, do you need random values with known relationships, or for which you can compute output number N+1 given output number N?
– poncho May 23 '13 at 16:03

Yes, I need a way to track a point back to source points P1, P2, Pn (with a known relation) and that's why I had thought about a linear function F on the previous points.
– Richard May 23 '13 at 18:07


I bet this is a Bitcoin-related question, in which case although people say it uses a Koblitz curve it is in fact not one. I think I have a good candidate solution for your problem but it works for a composite modulus and only if the group order is kept secret. If that's useful then let me know. If you're working in affine coordinates and you want to generate new points without inversions then you're probably limited to the Frobenius endomorphism.
– Barack Obama May 24 '13 at 0:04


Can you describe what problem you actually want to solve?
– CodesInChaos May 24 '13 at 5:47


I have some experience with Bitcoin's curve and I'm very confident that you will be unable to avoid an inversion for your problem as stated. I'm also quite confident that the restrictions you have specified above are more restrictive than are really necessary. Perhaps you can let us know whether you are a) trying to break the curve, b) generate vanity addresses, c) implementing some deterministic wallet scheme or d) implementing transactions which third parties can't link to an address.
– Barack Obama May 24 '13 at 23:20

With your curve, you can use the Gallant-Lambert-Vanstone (GLV) method to answer your question. Indeed, the equation of your curve is: $$y^2=x^3+7.$$ Since $p$ is congruent to $1$ modulo $3$, there are cube roots of unity modulo $p$. Let:
$$j=55594575648329892869085402983802832744385952214688224221778511981742606582254 \pmod{p}.$$ You can check that $j^3\equiv 1\pmod{p}$. The complex multiplication by $j$ sends $P=(X_P,Y_P)$ to $P'=(jX_P,Y_P)$.

Finally, multiplication by $J-1$ can be performed efficiently (one application of complex multiplication and one addition) and has high order. Don't use $J+1$: it has order $6$.

EDIT
$J^3$ is $1$ modulo the order of the curve, while $j^3$ is $1$ mod $p$.

This endomorphism of the curve is the projection of the complex multiplication of the curve $y^2=x^3+7$ over the rationals to the curve reduced mod $p$. This is why it is usually called the complex multiplication.

All in all, this gives a reasonably fast way to generate random looking multiples of $P$.

The full GLV method is much more than that since it speeds up multiplication by an arbitrary constant compared to regular double and add, but its basic idea relies on having an endomorphism that can be computed quickly.

This is not the GLV method - it's just using an efficiently computable endomorphism which is well known. Also, the solution described does not avoid the inversion required to produce an affine point. Finally, I'm not sure what's so "complex" about the multiplication by j!
– Barack Obama Jul 11 '13 at 0:00
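An added Python example (not code from the answer or from anyone in this thread) that checks the answer's claims on actual secp256k1 data: that $j^3 \equiv 1 \pmod p$, that the map $(x,y)\mapsto(jx,y)$ equals scalar multiplication by a cube root of unity $J$ modulo the group order, that $F(P)=\phi(P)-P$ is multiplication by $J-1$, and that $J+1$ has order $6$. The curve constants $p$, $n$ and $G$ are the standard secp256k1 parameters assumed here; $j$ is the value quoted in the answer, and the affine `add` makes the inversion that Barack Obama's comment refers to visible.

```python
# secp256k1 in affine coordinates: y^2 = x^3 + 7 over GF(p), base point G of prime order n
p = 2**256 - 2**32 - 977
n = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
# the cube root of unity mod p quoted in the answer; j**3 % p == 1
j = 55594575648329892869085402983802832744385952214688224221778511981742606582254

def add(P, Q):
    """Affine addition (None = point at infinity); note the one field inversion per call."""
    if P is None or Q is None:
        return Q if P is None else P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return None
    if P == Q:
        s = 3 * x1 * x1 * pow(2 * y1, -1, p) % p          # tangent slope
    else:
        s = (y2 - y1) * pow(x2 - x1, -1, p) % p           # chord slope
    x3 = (s * s - x1 - x2) % p
    return x3, (s * (x1 - x3) - y1) % p

def mul(k, P):
    R = None                                              # plain double-and-add, reference only
    while k:
        if k & 1:
            R = add(R, P)
        P, k = add(P, P), k >> 1
    return R

def endo(P):
    """The answer's map (x, y) -> (j*x, y): one field multiplication, no inversion."""
    return (j * P[0] % p, P[1])

def step(P):
    """F(P) = endo(P) - P, i.e. multiplication by J-1: one endomorphism plus one addition."""
    return add(endo(P), (P[0], -P[1] % p))

def lambda_scalar():
    """The scalar J with J*P == endo(P), found among the cube roots of unity mod n."""
    g = 2
    while pow(g, (n - 1) // 3, n) == 1:   # skip bases that are cubes mod n
        g += 1
    w = pow(g, (n - 1) // 3, n)           # w and w*w are the two nontrivial cube roots
    return w if mul(w, G) == endo(G) else w * w % n

def check():
    J = lambda_scalar()                   # (j^3 = 1 mod p, J^3 = 1 mod n, F = (J-1)*, (J+1)^3 = -1)
    return (pow(j, 3, p) == 1, pow(J, 3, n) == 1,
            step(G) == mul(J - 1, G), pow(J + 1, 3, n) == n - 1)
```

Each iterate of `step` still pays the inversion inside `add`, so the saving is only over generic scalar multiplication, not over the inversion itself.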